Detection rules › Splunk
Unusual Number of Remote Endpoint Authentication Events
The following analytic identifies an unusual number of remote authentication events from a single source by leveraging Windows Event ID 4624 (successful logon), restricted to Logon Type 3 (network logons) and excluding machine accounts. It counts the distinct target hosts each source address and account reaches in 2-minute buckets and applies the 3-sigma rule to that count: a bucket whose distinct-target count exceeds the source's own mean plus three standard deviations is flagged as a deviation from normal behavior. This activity is significant for a SOC as it may indicate lateral movement, malware staging, or reconnaissance. If confirmed malicious, this behavior could allow an attacker to move laterally within the network, escalate privileges, or gather information for further attacks.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1078 Valid Accounts |
| Persistence | T1078 Valid Accounts |
| Privilege Escalation | T1078 Valid Accounts |
| Defense Evasion | T1078 Valid Accounts |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4624 | An account was successfully logged on. |
Stages and Predicates
Stage 1: search
search Account_Name!="*$" EventCode=4624 Logon_Type=3
Stage 2: eval
eval ... using (Account_Name)
Stage 3: bucket
bucket span=2m _time
Stage 4: stats
stats dc(ComputerName) AS unique_targets, … AS target_hosts BY _time, Source_Network_Address, Source_Account
Stage 5: eventstats
eventstats avg(unique_targets) AS comp_avg BY Source_Network_Address, Source_Account
Stage 6: eval
eval ... using (comp_avg, comp_std)
Stage 7: eval
eval ... using (unique_targets, upperBound)
Stage 8: search
search `macro`
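To make the threshold concrete, here is the pipeline above re-implemented in Python and run over constructed 4624 records. This is an added example, not the rule's own code or Splunk's. Where the page elides a stage it makes assumptions, each marked in the code: Source_Account is taken directly from Account_Name (the stage 2 eval is not shown), target_hosts is the set of ComputerName values, the stage 5 eventstats also yields a sample standard deviation as comp_std, and the stage 7 outlier test is unique_targets > upperBound.

```python
"""Python walk-through of the SPL stages above (added example, not the rule's own code).
Assumptions, because the page elides them: Source_Account == Account_Name, target_hosts is
the set of ComputerName values, comp_std is a sample standard deviation, and the outlier
test is unique_targets > upperBound.  All events below are constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, stdev

SPAN_SECONDS = 120          # bucket span=2m
SIGMAS = 3                  # the 3-sigma rule
ORIGIN = datetime(1970, 1, 1)


def event(ts, src_ip, account, target, logon_type=3, code=4624):
    """One flattened Windows Security event (constructed sample data)."""
    return {"_time": ts, "EventCode": code, "Logon_Type": logon_type,
            "Account_Name": account, "Source_Network_Address": src_ip,
            "ComputerName": target}


def stage1_search(events):
    """search Account_Name!="*$" EventCode=4624 Logon_Type=3
    Drops machine accounts (names ending in $), non-4624 records and non-network logons."""
    return [e for e in events
            if e["EventCode"] == 4624 and e["Logon_Type"] == 3
            and not e["Account_Name"].endswith("$")]


def bucket(ts):
    """bucket span=2m _time: floor the timestamp to a 2-minute boundary."""
    secs = int((ts - ORIGIN).total_seconds())
    return ORIGIN + timedelta(seconds=secs - secs % SPAN_SECONDS)


def stage4_stats(events):
    """stats dc(ComputerName) AS unique_targets ... BY _time, Source_Network_Address, Source_Account"""
    groups = defaultdict(set)
    for e in events:
        # Assumption: Source_Account == Account_Name (the stage 2 eval is elided on the page).
        key = (bucket(e["_time"]), e["Source_Network_Address"], e["Account_Name"])
        groups[key].add(e["ComputerName"])
    return [{"_time": k[0], "Source_Network_Address": k[1], "Source_Account": k[2],
             "unique_targets": len(hosts), "target_hosts": sorted(hosts)}
            for k, hosts in groups.items()]


def stage5to8_outliers(rows, sigmas=SIGMAS):
    """eventstats avg/stdev of unique_targets per (source IP, account),
    upperBound = comp_avg + sigmas * comp_std, keep rows above it."""
    per_source = defaultdict(list)
    for r in rows:
        per_source[(r["Source_Network_Address"], r["Source_Account"])].append(r["unique_targets"])
    flagged = []
    for r in rows:
        vals = per_source[(r["Source_Network_Address"], r["Source_Account"])]
        comp_avg = mean(vals)
        comp_std = stdev(vals) if len(vals) > 1 else 0.0   # single bucket: no spread, no baseline
        upper_bound = comp_avg + sigmas * comp_std
        if r["unique_targets"] > upper_bound:                # assumed stage 7 test
            flagged.append({**r, "comp_avg": comp_avg, "comp_std": comp_std,
                            "upperBound": upper_bound})
    return flagged


def run_detection(events):
    return stage5to8_outliers(stage4_stats(stage1_search(events)))


def t(minute, second=0):
    return datetime(2024, 1, 1, 9, minute, second)


# Constructed sample: 40 minutes of normal admin activity, then a fan-out burst.
EVENTS = []
for i in range(20):                                   # jsmith touches 1-2 hosts per 2-minute bucket
    EVENTS.append(event(t(2 * i, 5), "10.0.0.5", "jsmith", "FS01"))
    if i % 2:
        EVENTS.append(event(t(2 * i, 40), "10.0.0.5", "jsmith", "PRINT01"))
for n in range(12):                                   # same account suddenly logs on to 12 hosts
    EVENTS.append(event(t(40, 10 + n), "10.0.0.5", "jsmith", f"WS{n:02d}"))
for n in range(8):                                    # no baseline: one burst from a new source
    EVENTS.append(event(t(40, 30 + n), "10.0.0.99", "svc_backup", f"SRV{n:02d}"))
for n in range(30):                                   # machine account fan-out: removed by stage 1
    EVENTS.append(event(t(40, n), "10.0.0.7", "WS01$", f"DC{n:02d}"))
EVENTS.append(event(t(40, 1), "10.0.0.5", "jsmith", "JUMP01", logon_type=10))  # RDP, not type 3

if __name__ == "__main__":
    for r in run_detection(EVENTS):
        print(f'{r["_time"]:%H:%M} {r["Source_Network_Address"]} {r["Source_Account"]} '
              f'targets={r["unique_targets"]} upperBound={r["upperBound"]:.2f}')
```

Two properties of the design show up in the sample. The baseline comes from eventstats over the whole search window, so the spike bucket is part of its own baseline: jsmith's 12-host bucket raises comp_std to about 2.3 and upperBound to about 9.0, and it is still flagged only because the burst is large relative to twenty quiet buckets. A source with a single bucket in the window (svc_backup above) has comp_std of zero and an upperBound equal to its own count, so it can never be flagged by this rule no matter how many hosts it reached; coverage for first-seen sources has to come from a different analytic.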
Indicators
Each row is a field, operator, and value that the rule matches in its first search stage.
| Field | Kind | Values |
|---|---|---|
| Account_Name | ne | `*$` |
| EventCode | eq | 4624 |
| Logon_Type | eq | 3 |
Neighbors
Stricter alternatives (narrower than this rule)
The rules below may be useful if you find the current rule is too noisy or not specific enough.
- Windows Rapid Authentication On Multiple Hosts (adds 1 filter)
Broader alternatives (more inclusive than this rule)
These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.
- Potential Account Takeover - Mixed Logon Types (drops 3 filters this rule applies)
- Potential Account Takeover - Logon from New Source IP (drops 3 filters this rule applies)
- External Remote SMB Logon from Public IP (drops 2 filters this rule applies)